NCCIC / US-CERT
National Cybersecurity and Communications Integration Center
United States Computer Emergency Readiness Team

Malware Initial Findings Report (MIFR) - 10124171
2017-05-14

Notification

This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. The DHS does not endorse any commercial product or service referenced in this bulletin or otherwise.

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see the US-CERT TLP page.

Summary

Description

Three files were submitted to US-CERT for analysis. All files are confirmed as components of a ransomware campaign identified as WannaCry. The first file is a dropper which contains and runs the ransomware, propagating via the MS17-010 (EternalBlue) exploit. The remaining two files are ransomware components containing plug-ins responsible for encrypting the victim's files.

Displayed below is a YARA signature that can be used to detect the ransomware:

    meta:
        description = "Detects WannaCry Ransomware on Disk and in …"
        author = "… Code Analysis Team"
        reference = "not set"
        date = "2017/05/12"
        hash0 = "…"
    strings:
        $s0 = …
        $s1 = …
        $s2 = …
        $s3 = "Microsoft Enhanced RSA and AES …"
        $s4 = …
        $s5 = "StartTask"
        $s6 = "wcry@123"
        $s8 = "unzip 0.15 Copyrigh…"
        $s9 = …
        $s10 = …
        $s11 = { 7363537461 274 00000 0742 T6 63 }
        $s12 = …
        $s13 = …
        $s14 = "wcry@123"
        $s15 = …
    condition:
        $s8 and $s9 and $s10 or $s11 and $s12 or $s13 or $s14 or $s15

Files Processed (39)
Domains Identified (6)

Files

5bef3… (WannaCry dropper)

Details
Name: 5bef3…
Size: 3723264
Type: PE32 executable (GUI) Intel 80386, for MS Windows

PE Information
Compiled: …
PE Sections (Name, Raw Size): header 4096; .text 36864; .rdata 4096; .data 159744; .rsrc …
Packers: Microsoft Visual C++ v6.0 (Version NA, Entry Point NA)

Relationships
5bef3…  Connected_To  …rijfaewrwergwea.com
5bef3…  Dropped       tasksche.exe (86721…)

Description
This artifact is a malicious PE32 executable that has been identified as a WannaCry ransomware dropper. Upon execution, the dropper attempts to connect to the hard-coded URI listed under Relationships above (…rijfaewrwergwea.com). Displayed below is a sample request observed:

--Begin request--
Host: …
Cache-Control: no-cache
--End request--

If a connection is established, the dropper terminates execution. If the connection fails, the dropper infects the system with ransomware. When executed, the malware is designed to run as a service with the parameters "-m security". During runtime the malware determines the number of arguments passed during execution; if fewer than two arguments are passed, the dropper proceeds to install itself as the following service:

--Begin service--
ServiceName: mssecsvc2.0
DisplayName: Microsoft Security Center (2.0) Service
BinaryPathName: %current… -m security
--End service--

Once the malware starts as the service mssecsvc2.0, the dropper attempts to create and scan a list of IP ranges on the local network, attempting to connect using UDP ports 137 and 138 and TCP ports 139 and 445. If a connection to port 445 is successful, it creates an additional thread to propagate by exploiting the vulnerability documented in Microsoft Security Bulletin MS17-010. The malware then extracts and installs a PE32 binary from its resource section named …. This binary has been identified as the ransomware component of WannaCry. The dropper installs this binary into … and executes it with the following command:

--Begin command--
… /i
--End command--

Note: When this sample was initially discovered, the domain was not registered, allowing the malware to run and propagate freely. However, within a few days researchers learned that by registering the domain and allowing the malware to connect, its ability to spread was greatly reduced. At this time all traffic to the domain is redirected to a monitored, non-malicious server, causing the malware to terminate if it is allowed to connect. For this reason, we recommend that administrators and network security personnel not block traffic to this domain.
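The two dropper behaviours described above (installing the mssecsvc2.0 service with the "-m security" argument, and one host fanning out to TCP 139/445 across the local network before MS17-010 exploitation) can be checked for in host telemetry. The following Python is an added example written for this page, not code from the report or from the malware: the service records and connection tuples are constructed, the field names are simplified from the Windows 7045 event, and FANOUT_THRESHOLD is an assumed tuning value.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Indicators taken from the dropper description in the report.
SERVICE_NAME = "mssecsvc2.0"
SERVICE_DISPLAY = "Microsoft Security Center (2.0) Service"
SERVICE_ARGS = "-m security"
SMB_PORTS = {139, 445}
# Assumed tuning value: distinct peers one host must reach on 139/445 before we alert.
FANOUT_THRESHOLD = 16

# Constructed System log records (EventID 7045 = "A service was installed in the system").
# Field names are simplified from the real record; every value here is made up.
SERVICE_EVENTS = [
    {"EventID": 7045, "Computer": "WS01", "ServiceName": "mssecsvc2.0",
     "DisplayName": "Microsoft Security Center (2.0) Service",
     "ImagePath": "C:\\Users\\alice\\Downloads\\attachment.exe -m security"},
    {"EventID": 7045, "Computer": "WS02", "ServiceName": "PrintHelper",
     "DisplayName": "Print Helper Service",
     "ImagePath": "C:\\Program Files\\PrintHelper\\svc.exe /service"},
    {"EventID": 7045, "Computer": "WS03", "ServiceName": "svchelper",
     "DisplayName": "Helper",
     "ImagePath": "C:\\ProgramData\\x.exe -m security"},
    {"EventID": 7036, "Computer": "WS01", "ServiceName": "mssecsvc2.0",
     "DisplayName": "Microsoft Security Center (2.0) Service",
     "ImagePath": ""},   # state-change record, not an install: ignored
]

# Constructed network telemetry as (source host, destination IP, destination port).
NET_EVENTS: List[Tuple[str, str, int]] = (
    [("WS01", "10.0.1.%d" % i, 445) for i in range(1, 41)]   # one host sweeping a /24
    + [("WS02", "10.0.1.5", 445)] * 10                        # normal use of one file server
    + [("WS03", "10.0.1.9", 80)]
)


def check_service_install(ev: Dict[str, object]) -> List[str]:
    """Reasons a 7045 record matches the dropper's service install; empty if clean."""
    reasons: List[str] = []
    if ev.get("EventID") != 7045:
        return reasons
    name = str(ev.get("ServiceName", "")).lower()
    display = str(ev.get("DisplayName", ""))
    image = str(ev.get("ImagePath", "")).strip().lower()
    if name == SERVICE_NAME:
        reasons.append("service name mssecsvc2.0")
    if display == SERVICE_DISPLAY:
        reasons.append("display name impersonates Security Center")
    # The dropper re-launches itself as a service with exactly these arguments.
    if image.endswith(SERVICE_ARGS):
        reasons.append("binary started with '-m security'")
    return reasons


def smb_fanout(conns: Iterable[Tuple[str, str, int]],
               threshold: int = FANOUT_THRESHOLD) -> Dict[str, int]:
    """Hosts that reached at least `threshold` distinct peers on TCP 139/445."""
    peers: Dict[str, set] = defaultdict(set)
    for src, dst, port in conns:
        if port in SMB_PORTS:
            peers[src].add(dst)
    return {host: len(p) for host, p in peers.items() if len(p) >= threshold}


def run(service_events=SERVICE_EVENTS, net_events=NET_EVENTS) -> Dict[str, List[str]]:
    """Combine both checks into host -> list of findings."""
    alerts: Dict[str, List[str]] = {}
    for ev in service_events:
        found = check_service_install(ev)
        if found:
            alerts.setdefault(str(ev["Computer"]), []).extend(found)
    for host, n in smb_fanout(net_events).items():
        alerts.setdefault(host, []).append("%d distinct peers on TCP 139/445" % n)
    return alerts


if __name__ == "__main__":
    for host, findings in run().items():
        print(host, "->", "; ".join(findings))
```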
tasksche.exe (ransomware component)

Details
Name: tasksche.exe
Size: 3514368
Type: PE32 executable (GUI) Intel 80386, for MS Windows

PE Information
Compiled: …
PE Sections (Name, Raw Size): header 4096; .text …; .rdata 24576; .data …; .rsrc …
Packers: Microsoft Visual C++ v6.0 (Version NA, Entry Point NA)

Relationships
tasksche.exe (86721…)  Related_To  b.wnry (c171…), c.wnry (ae08f…), r.wnry (3e002…), s.wnry (025ac…), t.wnry (5dcaa…), u.wnry (7bf2b…), taskdl.exe (4fef5…), taskse.exe (84954…) and the m_<language>.wnry ransom notes listed below
tasksche.exe (86721…)  Dropped_By  5bef3… (dropper)

Description
This artifact is a malicious PE32 executable that has been identified as the ransomware component named tasksche.exe. Installed by the dropper component, during run time it installs itself as a service with the following attributes:

--Begin service--
ServiceName: …
DisplayName: …
BinaryPathName: cmd.exe /c …
--End service--

The malware creates the following registry key:

--Begin registry key--
Subkey: …
ValueName: wd
ValueData: <malware working directory>
--End registry key--

The file contains a password protected zip archive in its resource section named …. During runtime the malware extracts the archive contents using the password … and installs the files on the victim's hard drive. Displayed below are the files in the archive and their functionality:

--Begin archive file list--
(folder): Contains multiple user manuals in different languages, in RTF file format
b.wnry: Ransom message image file used to replace the user's wallpaper
c.wnry: Contains the C2 servers hidden in the TOR network
r.wnry: Explains what has happened and how to pay the ransom
t.wnry: Contains the AES plug-in responsible for encrypting the victim's files
s.wnry: TOR library that is imported by u.wnry
u.wnry: Interactive TOR client that enables a victim to submit payment to the attackers via a secure session
taskdl.exe: Supporting file used to search for the string …
taskse.exe: Supporting file for Remote Desktop Services
--End archive files--

Screenshots
Image 2: Files contained in this embedded archive in the resource section named …

4da1f312a214c07143abeeafb695d904 (ransomware component)

Details
Name: 4da1f312a214c07143abeeafb695d904
Size: …
Type: PE32 executable Intel 80386, for MS Windows
PE Information
Compiled: 2017-04-08T21:…
PE Sections (Name, Raw Size): header 4096; .text 28672; .rdata 24576; .data …; .rsrc …
Packers: Microsoft Visual C++ v6.0 (Version NA, Entry Point NA)

Relationships
4da1f…  Related_To  b.wnry (c171…), c.wnry (ae08f…), r.wnry (3e002…), s.wnry (025ac…), t.wnry (5dcaa…), u.wnry (7bf2b…)

Description
This artifact is a malicious PE32 executable that has been identified as the ransomware component normally named … when dropped. The dropper component that installs this file was not part of the submission. It contains an embedded resource named …. This resource is a compressed archive that is protected with the password Wcr@123. The archive contains the following files:

--Begin Files Within PK Archive--
Name: b.wry
Name: c.wry
Name: m.wry
Name: r.wry
Name: s.wry
Name: t.wry
Name: u.wry
--End Files Within PK Archive--

During runtime the malware decrypts the Windows DLL contained in t.wry by reading the first 8 bytes and comparing the data to the ASCII value WANNACRY. If it matches, the malware then reads 256 bytes of the file starting at byte 12 and decrypts these 256 bytes using a hard-coded private RSA2 key. This produces the following 16-byte value:

--Begin 128 Bit AES Key--
…
--End 128 Bit AES Key--

These 16 bytes are used by an embedded AES algorithm to decrypt the actual data contained within the file, beginning at byte 280. This reveals the embedded DLL, which is used to encrypt the victim's files. It is important to note that this newly decrypted DLL contains two hard-coded keys. During the encryption process this DLL generates a new pseudo-random 128-bit AES key for each file it encrypts. The target file is encrypted with this AES key. Next, the AES key is encrypted using the hard-coded RSA1 key and prepended to the file. This DLL will attempt to encrypt files on the victim's primary hard drive as well as attached physical and network drives. Encrypted files are appended with a WCRY extension. These files have a similar format to the file t.wry in that the first 8 bytes contain the ASCII value WANNACRY. After this value there is a four-byte marker 0x00 0x01 0x00 0x00, followed by 256 bytes with the end marker 0x40 0x00. This marked 256-byte sequence contains the 128-bit AES key, encrypted by RSA, which may be used to decrypt the victim's data within the file.

Screenshots
Image 3: Files contained in this embedded archive in the resource section named …

b.wnry

Details
Name: b.wnry
Size: 1440054
Type: PC bitmap, Windows 3.x format, 800 x 600 x 24

Relationships
b.wnry (c171…)  Related_To  tasksche.exe (86721…), 4da1f…

Description
This file is a bitmap image file depicting the ransom message; it replaces the victim's wallpaper.

Screenshots
Image 1: Ransom message image file used to replace the user's wallpaper
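The container layout described for t.wry and for the encrypted user files in the 4da1f… component description (8-byte ASCII tag, 4-byte marker 00 01 00 00, 256-byte RSA-encrypted AES key at offset 12, AES-encrypted data from offset 280) can be parsed without any key material, which is all a responder can do with such files absent the RSA private key. The following Python parser and triage helper is an added example written for this page, not code from the report: the 12 bytes between the key blob and offset 280 are treated as an opaque trailer, the samples are constructed, and the WANNACRY tag is used exactly as the report states it.

```python
import math
from dataclasses import dataclass
from typing import Dict, Optional

# Layout as described in the report for t.wry and for encrypted user files.
MAGIC = b"WANNACRY"                 # 8-byte ASCII tag at offset 0
KEY_MARKER = b"\x00\x01\x00\x00"    # 4-byte marker at offset 8 (0x100 = 256, the key blob length)
KEY_OFFSET = 12
KEY_LEN = 256                       # RSA ciphertext of the per-file 128-bit AES key
DATA_OFFSET = 280                   # AES-encrypted content begins here
TRAILER_LEN = DATA_OFFSET - (KEY_OFFSET + KEY_LEN)   # 12 bytes, including the end marker


@dataclass
class WcryHeader:
    enc_aes_key: bytes   # only the matching RSA private key (RSA1 for user files) recovers the AES key
    trailer: bytes       # the 12 bytes between the key blob and offset 280, kept opaque here
    payload_len: int     # length of the AES-encrypted content from offset 280 onward


def parse_header(blob: bytes) -> Optional[WcryHeader]:
    """Return the header fields if `blob` follows the described layout, otherwise None."""
    if len(blob) < DATA_OFFSET:
        return None                     # truncated: no room for tag, key blob and trailer
    if blob[:len(MAGIC)] != MAGIC:
        return None
    if blob[len(MAGIC):KEY_OFFSET] != KEY_MARKER:
        return None
    key = blob[KEY_OFFSET:KEY_OFFSET + KEY_LEN]
    trailer = blob[KEY_OFFSET + KEY_LEN:DATA_OFFSET]
    return WcryHeader(key, trailer, len(blob) - DATA_OFFSET)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: RSA and AES ciphertext sit near 8.0, most plaintext well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(files: Dict[str, bytes]) -> Dict[str, str]:
    """Classify in-memory files: a full container, a damaged one carrying only the tag, or other."""
    result: Dict[str, str] = {}
    for name, blob in files.items():
        if parse_header(blob) is not None:
            result[name] = "wcry-container"
        elif blob.startswith(MAGIC):
            result[name] = "wcry-magic-only"
        else:
            result[name] = "other"
    return result


def build_sample(enc_key: bytes, payload: bytes) -> bytes:
    """Assemble a constructed file with this layout (test data only; the trailer is zero-filled)."""
    if len(enc_key) != KEY_LEN:
        raise ValueError("encrypted key blob must be %d bytes" % KEY_LEN)
    return MAGIC + KEY_MARKER + enc_key + b"\x00" * TRAILER_LEN + payload


if __name__ == "__main__":
    # Constructed example: a 256-byte stand-in for the RSA ciphertext and 1000 bytes of "content".
    sample = build_sample(bytes(range(256)), bytes((i * 7 + 3) % 256 for i in range(1000)))
    hdr = parse_header(sample)
    print("payload bytes:", hdr.payload_len,
          "key-blob entropy: %.2f" % shannon_entropy(hdr.enc_aes_key))
```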
c.wnry

Details
Name: c.wnry
Size: 780
Type: data

Relationships
c.wnry (ae08f…)  Related_To  tasksche.exe (86721…), 4da1f…
c.wnry (ae08f…)  Contains  gx7ekbenv2riucmf.onion, xxlvbrloxvriy2c5.onion, 76jdd2ir2embyv47.onion

Description
This is a data file which contains the C2 servers hidden within the TOR network. Displayed below are samples observed during analysis:

--Begin C2--
gx7ekbenv2riucmf.onion
xxlvbrloxvriy2c5.onion
76jdd2ir2embyv47.onion
--End C2--

t.wnry

Details
Name: t.wnry
Size: 65816
Type: data

Relationships
t.wnry (5dcaa…)  Related_To  tasksche.exe (86721…), 4da1f…

Description
This artifact is a malicious PE32 executable containing the primary component responsible for performing the encryption of the victim's files. Importantly, this file appears to be encrypted in the same manner in which the ransomware encrypts the victim's files. This would suggest that the decryption key, if purchased from the adversary via paid ransom, would decrypt the victim's files in the same way.

Ransom notes (m_<language>.wnry)

Each of the following artifacts is an RTF formatted ransom note containing payment instructions, written in the language shown. Each has Type "Rich Text Format data, version 1, unknown character set" and is Related_To tasksche.exe (86721…).

Name                            Size    Language
m_bulgarian.wnry                47879   Bulgarian
m_chinese (simplified).wnry     54359   Chinese (simplified)
m_chinese (traditional).wnry    79346   Chinese (traditional)
m_croatian.wnry                 -       Croatian
m_czech.wnry                    40512   Czech
m_danish.wnry                   37045   Danish
m_dutch.wnry                    -       Dutch
m_english.wnry                  -       English (sample text below)
m_filipino.wnry                 37580   Filipino
m_finnish.wnry                  -       Finnish
m_french.wnry                   -       French
m_german.wnry                   37181   German
m_greek.wnry                    49044   Greek
m_indonesian.wnry               37196   Indonesian
m_italian.wnry                  36883   Italian
m_japanese.wnry                 81844   Japanese
m_korean.wnry                   91501   Korean
m_latvian.wnry                  41169   Latvian
m_norwegian.wnry                -       Norwegian
m_polish.wnry                   39896   Polish
m_portuguese.wnry               -       Portuguese
m_romanian.wnry                 52151   Romanian
m_russian.wnry                  -       Russian
m_slovak.wnry                   41391   Slovak
m_spanish.wnry                  37381   Spanish
m_swedish.wnry                  38483   Swedish
m_turkish.wnry                  42582   Turkish
m_vietnamese.wnry               -       Vietnamese

A sample of the text of m_english.wnry is shown below:

What Happened to My Computer?
Your important files are encrypted.
Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service.

Can I Recover My Files?
Sure. We guarantee that you can recover all your files safely and easily. But you have not so enough time.
You can decrypt some of your files for free. Try now by clicking <Decrypt>.
But if you want to decrypt all your files, you need to pay.
You only have 3 days to submit the payment. After that the price will be doubled.
Also, if you don't pay in 7 days, you won't be able to recover your files forever.
We will have free events for users who are so poor that they couldn't pay in 6 months.

How Do I Pay?
Payment is accepted in Bitcoin only. For more information, click <About bitcoin>.
Please check the current price of Bitcoin and buy some bitcoins. For more information, click <How to buy bitcoins>.
And send the correct amount to the address specified in this window.
After your payment, click <Check Payment>. Best time to check: 9:00am - 11:00am GMT from Monday to Friday.
Once the payment is checked, you can start decrypting your files immediately.

Contact
If you need our assistance, send a message by clicking <Contact Us>.

We strongly recommend you to not remove this software, and disable your anti-virus for a while, until you pay and the payment gets processed. If your anti-virus gets updated and removes this software automatically, it will not be able to recover your files even if you pay!

r.wnry

Details
Name: r.wnry
Size: 864
Type: ASCII text, with line terminators

Relationships
r.wnry (3e002…)  Related_To  tasksche.exe (86721…), 4da1f…

Description
This is a data file that explains what has happened and how to pay the ransom.

s.wnry

Details
Name: s.wnry
Size: …
Type: Zip archive data, at least v1.0 to extract

Antivirus
No matches found

Relationships
s.wnry (025ac…)  Related_To  tasksche.exe (86721…), 4da1f…

Description
TOR library that is imported by u.wnry.

taskdl.exe

Details
Name: taskdl.exe
Size: 20480
Type: PE32 executable (GUI) Intel 80386, for MS Windows
aapw Trojan GenericKD 505T554 Trojan Win32 Agent eopwdw 29 0f41 Vi obot Avast Act-Aware Sophos Comodo F-Secure DrWeb McAfee-GW Edition Emsisott Cyren Jiangmin Webroot Avira Fortinet Antiy-AVL Arcabit AegisLab ZoneAlarm Microsoft AhnLab-VS AVware Tencent Ikarus GData AVG Panda PE Information Win32 WannaCry B Trj Trojan Generici D 5057554 TrojIWanna C UnclassifiedMalware Trojan GenericKD 505 554 Trojan Encoder 11432 Ransom-C Trojan GenericKD 5057554 Trojan WanaCry j THiFileCoder 724611 TrojanMin32 TGeneric Trojan Generic D4D2012 Troj Ftansom W32 Agenl c Trojan-Ransom Win32 Agent aapw Trojan Nin32 HDC 061115 Trojan Win32 Generic BT Win32 Trojan Ransomlookeermb Trojan Win32 Filecoder Trojan GenericKD 505 554 Trojan Generic Compiled PE Sections Name M05 Flaw Size header 51 That 733685046t9e1 29t76f2906642 4096 text c9aa64fe6d9efc3ei'be627442c01 2f0 4096 rdata 4096 data cz cb 29fed9abe0e95d3d6264cd5 4096 rsrc aSibaibt 8686 e9366dc 5c291 920c441 4096 Packers Name Version Entry Point Microsoft ltulisual v6 0 Fielationsh ips taskdlexe 4fet5 Description NA NA Reiatedjo F 96721 Entropy 0647544716167 266441166404 0 10561 2474489 371611137019 This artifact is a PE32 executable designed to search for the string on all installed drives on the system taskse exe Details Name taskseexe US-CERT MIFR-101241T1 Size 20480 Type MD5 SHA1 ssdeep Entropy Antivirus MicroWorId-oScan Protect CAT-GulckHeal McAfee Malwarebytes KTGW K7AnliVirus TrendMicro F-Prot Symantec TrendMioro-HouseCall Paloalto GData Kaspersky ItDefender NANO-Antlvirus ViRobol AegisLab Sophos Comodo F-Secure DrWeb VIPRE McAfee-GW Edition Emsiso Cyren Webrooi Mira Antiy-AVL Arcabit ZoneAlarm Microsoft AVG AhnLab-V3 AVware Ad-Aware Panda Tencent lkarus Fortinel US-CERT MFR-10124171 PE32 executable GUI Intel 80386 for MS Windows 849 5400f1 99ac 7853653b533f273f36 252525096181 Trojan GenericKD 5057859 RansomiWSE Zapchast 20480 B TrojanransomZapchast Ransom-O Trojan 006114091 3 Trojan 0001140e1 Ransom_WC RYJ Ransom Wannacry 
Ransom_WCFW l genericml Trojan GenericKD 505 859 Trojan-Ransom Win32 Zapchasl i Trojan GenericKD 505 859 Trojan Win32 Zapchast eupvwc Troj Ransom W32 c TroyWanna-C UnclassifiedMalware Trojan GenericKD 505 359 Trojan Encodem 1432 Trojan Win32 Generic BT Ransom O Trojan GenericKD 5057859 TrojanZapchasteu TFla'FileGoder324B4'I-l Trojanr'WinsaTGeneric Trojan Generic D4D2D43 Trojan-Ransom Win32 Zapchasl i Trojan Win32 Generic BT Trojan GenericKD 505 859 Trojan Win32 Filec0der W32fZapchastDItr 310f41 Avast Qihoo-SGD MioroWorId-eScan nProtect CAT-GulckHeal McAfee Malwarebytes KTGW K7AnliVirus TrendMicro F-Prot Symantec TrendMioro-HouseCall Paloalto GData Kaspersky BItDefencler NANO-Antlvirus ViRobol AegisLab Sophos Comodo F-Secure DrWeb VIPRE McAfee-GW-Edition Emsiso Cyren Webrooi Mira Antiy-AVL Arcabit ZoneAlarm Microsoft AVG AhnLab-VS AVware Ad-Aware Panda Tencent lkarus Fortinel Avast Gihoo-SGD PE Information Win32 WannaCry A Trj TrojanGeneric Trojan GenericKD 5057359 Ransomiw32 Zapchast 20480 B Trojanransom Zapchast Ransom-O Trojan Trojan i 000114Ue1 Ransom_WC RYJ RansomWannacry Ransom_WCFiY genericml Trojan GenericKD 5057359 Trojan-Ransom Win32 Zapchasl i Trojan GenericKD 505 859 Trojan Win32 Zapchast eopvwc Troj Ransom W32 c TrojIWanna-C UnclassifiedMalware Trojan GenericKD 5057359 Trojan Encoder 11432 Trojan Win32 Generic BT Ransom O Trojan GenericKD 505 859 iEi W32iTrojan FXSJ 2552 Trojan Zapchast eo W32 Flansom Wanaorypior TrojanMin32 TGeneric Trojan Generic D4D2D43 Trojan-Ransom Win32 Zapchasl i Trojan Win32 Generic BT Trojan GenericKD 5057359 Trojan Win32 Filocoder W32fZapchastDItr Win32 WannaCry-A Trj Trojan Generic Compiled PE Sections US-CERT MIFR-101241T1 32 0f41 Name MD5 Raw Size Entropy header 4096 text 2 ba eebe222f1 1600c05d3551dd3120 4096 3 29976908335 rd ala 4090 1 051 05359922 data 5 8492581 8bc1 b135214e328323bBT'93 4096 0 99 5850341 rsrc Baed2 b334 i1 Tf0135893d895d6 4096 3 721 14 003 Packers Name Version Entry Point Microsoft Visual v9 0 NA NA 
Relationships F taskseexe 94954 Fleisted_To 96721 Description This artifact is a PE32 executable designed to support Fiemote Desktop Services u wnry Details Name Size Type HIDE SHA1 sedeep u 'l'1 rnr1 r 245 760 Entropyr Antlvirus MlcroWorld-eScan Protect CAT-GuiokHeal McAfee Malwarebytes VIPRE KTGW K AntiVirus Cyren Symantec Avast ClamAV Kaspersky itDetender NAND-Antivirus Paloalto Vi obot Tencent Act-Aware Emslsott Comodo F-Secure US-CERT MIFR-101241T1 PE32 executable GUI Intel 80386 for MS Windows 6 2 392040839 Trojan GenericKD 505 855 Ransomm32 Wanna 245790 TrojanHansomWanna Ransom-C Trojan Win32 Generio BT Di Trojan 0001140131 Trojan 000114061 Ransom Wannacry Win32 WanaCry-A Trj Win Trojan Agent-6312824-0 Trojan-Ransom Win32 Wanna c Trojan GenericKD 5057355 Trojan Win32 Wannaeottwl genericml Win32 Trojan Hansomlockeermh Trojan GenericKD 505 850 Trojan GenericKD 505 855 Trojan GenericKD 505 856 33 of41 DrWeb Trendl'u'licra McAfee-GW Editiun F-Prot Webroai Mira Fortinel Antiy-AVL Arcabit AegisLab ZuneAlarm Microsoft Sophus AhnLab-VS AVware Hlsing lkarus GData AVG Panda Jinan-360 MicroWorId-eScan nProtect CAT-QuickHeal McAfee Malwarebytes VIPRE K7GW K AntWirus Cyren Symantec TrendMicro-HouseCall Avast ClamAV Kaspersky BitDefende-r NANC-Antivirus Paloalto Vi abot Tencent Ad-Aware Emsiso Comodo F-Secure DrWeb TrendMicro McAfee-GW Editiun US-CERT MFR-10124171 Trojan Encoder 1 1 432 Ransom O Trojan WanaCry a 411132 Flansnm1 11 31nnacryr THIFileGoderJ24f-345 W321Genl ryptik1 C25ltr TrojanMinSEDeshacop Trojan Generic D4D2D4 Uds DangerousobiectMultiIc Trojan Ransom Win32 Wanna c Troja'Wanna D Trojan Win32 Generic BT Malware Generic 5 tfe cloud szBq30iMV Trojan Win32 Filecuder Win32 Trojan-Ransom WannaCryE Generic_r SSZ Wi n32fTrojan Mu Iti daf Trojan GenericKD 5057355 RansomM32 Wanna 245 60 TrojanHansom Wanna Ransom O Trojan Win32 Generic BT malicious_c0nfidence_50% D Trojan 000114031 Trojan 000114081 Ransom Wannacry Win32 WanaCry A Trj Trojan Ransom Win32 Wanna c Trojan 
GenericKD 505 855 Trojan Win32 Wannaeotlwl genericml Trojan GenericKD 5057856 Trojan GenericKD 5057856 Trojan GenericKD 505 355 Trojan Encoder 11432 Ransom O 34 0f41 F-Prot Jiangmin Webroot Avira Fortinet Arcablt AegisLab ZoneAlarm Microsoft Sophos AhnLab-V3 AVware Flising Ikarus GData AVG Panda Gihoo-SEO PE Information TrojanWanaCrva WSEHansomWannaCrv FileCoder 24645 C25ltr TrojaniWinSEDeshacop Trojan Generic D4D2D4 l UdsDangerousobjectMulti lc Trojan-Ransom Win32 Wanna c TroiiWanna D Trojan Win32 GenericlElT Malware eneric ltfe cloud 3szq30iMV Trojan Win32 Filecoder Win32 Trojan-Ransom WannaCrvE Generic_r SSZ Wi n32 'rojan Mu Iti daf Compiled PE Sections Name MD5 Flaw Size Entropy header 40 96 0 7533567285 text c ede1 0541913 372019fa9715883be49 81920 6 241 006622712 rd ata SaBQaacESc 40 960 5 8 1 835 3427'1 data 12288 432665302653 rsrC 106496 563519234495 Packers Name iil'ersion Entry Point Microsoft Visual v6 0 NA NA Relationships F u wnrv Ublzb Fleiated_To F 86721 F u-wnry Related TO F Description 4 131 11 This artifact is an interactive TOR client which will enable a victim to submit payment to the hackers via a secure TOR session Domains iuqerfsod URI I Pads -80 HTTP Sessions 0 GET I 1 US-CERT MFR-101241711 Host Cache-Control no-cache Whois Domain Name Registrar NAMECHEAP INC Sponsoring Registrar IANA ID 1063 Whois Server whoishamecheaocom Referral URL Name Server Name Server NSESINKHOLETECH Name Server Name Server Status clientTransferProhibited Updated Date 12 may-201 7 Creation Date 12-may-2D17 Domain name Registry Domain ID 212351 Registrar Server whois namecheap com Registrar URL Updated Date Creation Date Registrar Registration Expiration Date Registrar NAMECHEAP INC Registrar IANA ID 1068 Registrar Abuse Contact Email Registrar Abuse Contact Phone 1 6613102107 Reseller NAMECHEAP INC Domain Status clientTransferProhibited Domain Status addPeriod Registry Registrant ID Registrant Name Botnet Sinkhole Registrant Organization Registrant Street Botnet 
Sinkhole Registrant City Los Angeles Registrant StatetProvince CA Registrant Postal Code 00000 Registrant Country US Registrant Phone Registrant Phone Ext Registrant Fax Registrant Fax Ext Registrant Email Registry Admin ID Admin Name Botnet Sinkhole Admin Organization Admin Street Botnet Sinkhole Admin City Los Angeles Admin Stater Province CA Admin Postal Code 013000 Admin Country US Admin Phone Admin Phone Ext Admin Fax Admin Fax Ext Admin Email Registry Tech ID Tech Name Elotnet Sinkhole Tech Organization Tech Street Botnet Sinkhole Tech City Los Angeles Tech StaterProvince CA Tech Postal Code ODUDU Tech Country US Tech Phone 0 00000000000 Tech Phone Ext Tech Fax Tech Fax Ext US-CERT MFR-10124171 36 of41 Tech Email Name Server nsi sinkholeJech Name Server ns2 sinkhole tech Name Sewer nsSsinkholeJeoh Name Server ns4 sinkhole tech DNSSEC unsigned URL of the ICANN WHOIS Data Problem Reporting System 92 Last update of WHOIS database Relationships U alga r150 dpgi apos mm Flelated_To ergwea com D Related To P 30 Ralated Charactenzed By Domam Name' IUOERFS com Connectedjrom Fl abEllJ c2 Shela gx ekbenv2riucmf onion Relationships gx ekbenv2riuomf onion Contained_Within ownry aeDSf Relationships Contained_Within Fl ownry anSt Relationships D Contained_Within ownry anElfi T jdd2ir2embw4 onion Relationships Contained_Within ownry ae afl Contained_Within c wnry ae Bf Relationship Summary Fl 5bef3 Connected_To FD F 5bef3 Dropped 86 21 D U I Related_To ergwea com D Related To P so - Flelated_To H GET 1 US-CERT MFR-10124171 3T 0f41 D F 36721 F 86 21 F 86 21 F 86 21 F 36721 F 36721 F 36721 F 86721 F 36721 F 36121 F 36321 F 86721 F 36721 F 86 21 F 86 21 F 86 21 F 86 21 F 361 21 F 36721 F 36721 F 36721 F 86721 F 36721 F 86 21 F 86 21 F 86721 F 86 21 F 86721 F 86 21 F 86 21 F 36721 F 361 21 F 36321 F 36721 F 36 21 F 86 21 F 86 21 F 86 21 F 4da1 1131 2a21 4c0 1 43abeeafb695d 904 40511 1 F 4da1 1 F 40511 1 F 4da1 1 F 4da1f US-CERT MFR-10124171 haracterized_By Connectedjrom 
Helatedjo Flelated_To Helated_To Relate- LTD Helated_To Related_To Related_To RelatecLTo Helated_To HelatecLTo Flelated_To FlelatecLTo Helated_To Flelated_To Flelated_To Flelated_To Flelated_T0 Related_To Helated_To Related_To Helated_To RelatecLTo Helated_To FlelatecLTo Flelated_To FlelatecLTo Flelated_To Helated_T0 Flelated_To Helatedjo Related_To Related_To Flelated_To RelatecLTo Helated_To HelatecLTo Flelated_To Dropped_By Flelated_To HelatecLTo Related_To Relate- LTD Helated_To W Domain Name IUQERFS F 5061354961000098416321401 5033137132 51366 S res11PNG F F c wnry 218081 F 5dcaa F m_bulgarian wnry 9561 3 F m_chinese simplified wnry 0252 1 F m_chinese Eefcii F m_cr0atian wnry 1 194 F 537ef F m_danish wnry 2c533 F m_dutch wnry 751304 F m_english wnry fa-680 F 081393 F m_finnish wnry 35c2f F m_french wnry 495 1 F m_german wnry 3d59b F m_greek wnry fb4eB F 37881 F 305120 F mJapanesewnry bT7e1 F m_korean wnry 5735c F m_latvian wnry cSSaf F 1110 F e79d F m_portuguese wnry fa948 F 31360 F c9113 F 8 161 6 F m_swedish wnry c a19 F m_turkish wurnr5 r 531ba F m_vietnamese wnry 841911 F r wnry 39002 F s wnry 02531 F taskdl exe 4fef5 F taskseexe 34954 F u wnry 713120 F 513313 i i i i i F m_russian wnry 45261 i i i i S F b wnry c1717 F c wnry ae031 F 5dcaa F s wnry 02530 38 0f41 F 4da1 i F 4da1 i F b wnry 61717 F b wnry 31717 F b wnry 01717 S S res11 PNG S res22 PNG F c wnry ae66f F C wnry aeDBf F c wnry 36661 F ownry 88061 F ownry aeDBi F c wnry as-061 F c wnry ae66f D gx7ekbenv2riucmfonion D D D 76 dd2ir2embyv47 onion D F i wnry 5dcaa F Edoaa F m_bulgarian wnry 65673 F m_chinese simplified wnry 0252 F m_chinese traditional wnry 2 3ch F m_croatian wnry 17194 F 5376' F m_danish wnry 205513 F m_dutch wnry 72161214 F m_snglish wnry 19660 F m_filipino wnry 36st F m_finnish wnry 35021 F 49571 F m_german wnry 36566 F H3496 F 37661 F m_italian wnry 365120 F mJapanesewnry D7761 F 67350 F m_latvian wnry o33af F 11700 F 979 1 F m_romanian wnry 31336 F m_russian wnry 45261 i i F 
_por1ug fa94 8 F m_slovak wnry 0611a US-CERT MFR-10124171 Relate- LTD Helated_To Fielated_To Fielated_To Related_To Helated_To Fleiated_To Fleiated_To Relatsd_To Helatedjo Contains Contains Contains Contains Contains Contained_Within Contained_Within Contained_Within Contained_Within Contained_Within FleiatecLTo Related_To FielatecLTo Helated_To Fleiated_To HelateoLTo Fleiated_To Fleiated_To Relate- LTD Fleiated_To Helatsdjo Relatedjo Related_To Fielated_To Fielatedjo Fleiated_To FielatecLTo Helatedjo Fielated_To HelateoLTo Relate- LTD Fleiated_To Flelated_To Related_To Relatsd_To Related_To F r wnry Be-002 F u wnry 7612 S F 66721 F 4da1131 2a214507143abeeafb695d904 462111 F b wnry 01717 F 66721 F 4da1131 2a214cO7143abeeafb665d664 4da1 f F 66721 F 4da1131 2a214007143abaeaib6956904 4da1 i D gx7ekbenv2riucmf onion D D D 76jdd2ir2embyv47onion D F c wnry aeI661 F ownry 219061 F ownry 219061 F ownr r 316661 F c wnry 616081 F 66721 F 4da1131 2a214COT1436beeabe-95d904 4da1 f F 66721 F tasksohesxe 66721 F 66721 F 86 21 F 36721 F 86721 F 66721 F 66721 F 66721 F 66721 F 66721 F 66721 F 66721 F tasksoheexe 66721 F 66721 F 66721 F 66721 F 86721 F 66721 F 66721 F 66721 F 66721 F 66721 F 66721 39 of41 F m_spanish wnry 8d616 Related_To F 86721 m_swe Is wnry a sac tas sc e exe F d 7 19 F 86 21 m_tur Is wnry a eate 0 tea as e exe F k' 531b I F 86721 F m_vietnamese wnry 8419b Related_To F 86 21 r wn eate tas sc e exe 86 21 ry F 4da1f31 2a214c 1435beeafb695d904 F r wnry 3e002 Related_To 4 131 f F s wnry 025ac Related_To F 36 21 F 4da1f31 2a214c07143abeeafb695d904 F s wnry 0253c Flelated_To I4da1 f F taskdlexe 4lef5 Related_To F F taskseexe 84954 Related_To F 36721 F u wnry bf2b Related_To F 36721 F 4da'l f3 2a214cOT143abeeafb695d904 F u wnry be2b Flelated_To 4da1 I D Related_To iuqe I130 dpgi apo Sdiihgosurijfaewmergweamm D P 30 D GET '1 W Domain Name IUQERFS Characterizes D Mitigation Recommendations would like to remind users and administrators of the following best practices to 
strengthen the security posture of their organization's systems - Maintain up to-date antivirus signatures and engines Restrict users' ability permissions to install and run unwanted software applications 0 Enforce a strong password policy and implement regular password changes 0 Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known 0 Keep operating system patches up to date - Enable a personal firewall on agency workstations 0 Disable unnecessary services on agency workstations and servers 0 Scan for and remove suspicious e-mail attachments ensure the scanned attachment is its true file type the extension matches the file header - Monitor users' web browsing habits restrict access to sites with unfavorable content I Exercise caution when using removable media USE thumbdrives external drives CDs etc 0 Scan all software downloaded from the Internet prior to executing 0 Maintain situational awareness of the latest threats implement appropriate ACLs Contact Information - 1-388 232 0870 0 UNCLASS SIPRNET - JWICS US-CERT continuously strives to improve its products and services You can help by answering a very short series of questions about this product at the following URL Document FAQ What is a A Ivlalware Initial Findings Report MIFR is intended to provide organizations with malware analysis in a timely manner In most instances this report will provide initial indicators for computer and network defense To request additional analysis please contact and provide information regarding the level of desired analysis US-CERT MFR-10124171 4U of41 Can I edit this document This document is not to be edited in any way by recipients All comments or questions related to this document should be directed to the US-CEFIT Security Operations Center at 1-888-282-08 0 or soc us-cert ov Can I submit malware to Malware samples can be submitted via three methods Contact us with any questions 0 Web - E-Maii I FFP ftp 
malware us-certgovfmalware anonymous USS-CERT encourages you to report any suspicious activity including cybersecurity incidents possible malicious code software vulnerabilities and phishing related scams Reporting forms can be found on homepage at US-CERT MFR-10124171 41 of41 This document is from the holdings of The National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994-7000 Fax 202 994-7005 nsarchiv@gwu edu